1.2 - MDVSA-2013:053

Executive Summary

Informations
Name	MDVSA-2013:053	First vendor Publication	2013-04-05
Vendor	Mandriva	Last vendor Modification	2013-04-05
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:H/Au:N/C:N/I:P/A:N)
Cvss Base Score	1.2	Attack Range	Local
Cvss Impact Score	2.9	Attack Complexity	High
Cvss Expoit Score	1.9	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability has been found and corrected in proftpd:

ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands (CVE-2012-6095).

The updated packages have been patched to correct thies issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2013:053

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-362	Race Condition

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:19810

Oval ID:	oval:org.mitre.oval:def:19810
Title:	DSA-2606-1 proftpd-dfsg - symlink race
Description:	It has been discovered that in ProFTPd, an FTP server, an attacker on the same physical host as the server may be able to perform a symlink attack allowing to elevate privileges in some configurations.
Family:	unix	Class:	patch
Reference(s):	DSA-2606-1 CVE-2012-6095	Version:	5
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	proftpd-dfsg
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND proftpd-dfsg DPKG is earlier than 0:1.3.3a-6squeeze5

CPE : Common Platform Enumeration

Type	Description	Count
Application	Proftpd cpe:2.3:a:proftpd:proftpd:1.3.4:d:::::: cpe:2.3:a:proftpd:proftpd:1.3.4:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.3.4:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.3.4:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:b:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:a:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:::::::* cpe:2.3:a:proftpd:proftpd:1.3.3:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:rc4:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:c:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:e:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:d:::::: cpe:2.3:a:proftpd:proftpd:1.3.3:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:rc4:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:::::::* cpe:2.3:a:proftpd:proftpd:1.3.2:c:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:a:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:b:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:d:::::: cpe:2.3:a:proftpd:proftpd:1.3.2:e:::::: cpe:2.3:a:proftpd:proftpd:1.3.1:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.3.1:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.3.1:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.3.1:::::::* cpe:2.3:a:proftpd:proftpd:1.3.0:rc5:::::: cpe:2.3:a:proftpd:proftpd:1.3.0:::::::* cpe:2.3:a:proftpd:proftpd:1.3.0:a:::::: cpe:2.3:a:proftpd:proftpd:1.3.0:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.3.0:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.3.0:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.3.0:rc4:::::: cpe:2.3:a:proftpd:proftpd:1.2.9:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.2.9:::::::* cpe:2.3:a:proftpd:proftpd:1.2.9:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.2.9:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.2.8:::::::* cpe:2.3:a:proftpd:proftpd:1.2.8:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.2.8:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.2.7:::::::* cpe:2.3:a:proftpd:proftpd:1.2.7:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.2.7:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.2.7:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.2.6:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.2.6:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.2.6:::::::* cpe:2.3:a:proftpd:proftpd:1.2.5:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.2.5:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.2.5:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.2.5:::::::* cpe:2.3:a:proftpd:proftpd:1.2.4:::::::* cpe:2.3:a:proftpd:proftpd:1.2.3:::::::* cpe:2.3:a:proftpd:proftpd:1.2.2:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.2.2:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.2.2:::::::* cpe:2.3:a:proftpd:proftpd:1.2.2:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.2.10:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.2.10:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.2.10:::::::* cpe:2.3:a:proftpd:proftpd:1.2.10:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.2.1:::::::* cpe:2.3:a:proftpd:proftpd:1.2.0:rc3:::::: cpe:2.3:a:proftpd:proftpd:1.2.0:rc2:::::: cpe:2.3:a:proftpd:proftpd:1.2.0:::::::* cpe:2.3:a:proftpd:proftpd:1.2.0:rc1:::::: cpe:2.3:a:proftpd:proftpd:1.2.0:pre10:::::: cpe:2.3:a:proftpd:proftpd:1.2.0:pre9:::::: cpe:2.3:a:proftpd:proftpd::::::::	71

Nessus® Vulnerability Scanner

Date	Description
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_proftpd_20130924.nasl - Type : ACT_GATHER_INFO
2013-09-25	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201309-15.nasl - Type : ACT_GATHER_INFO
2013-06-24	Name : The remote FTP server is affected by an arbitrary file overwrite vulnerability. File : proftpd_mkd_xmkd_file_overwrite.nasl - Type : ACT_GATHER_INFO
2013-04-20	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-053.nasl - Type : ACT_GATHER_INFO
2013-01-31	Name : The remote Fedora host is missing a security update. File : fedora_2013-0437.nasl - Type : ACT_GATHER_INFO
2013-01-31	Name : The remote Fedora host is missing a security update. File : fedora_2013-0468.nasl - Type : ACT_GATHER_INFO
2013-01-31	Name : The remote Fedora host is missing a security update. File : fedora_2013-0483.nasl - Type : ACT_GATHER_INFO
2013-01-14	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2606.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:43:26	Multiple Updates
2013-04-05 21:17:34	First insertion

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	1
CPE ID(s)	71
Nessus® Exploit(s)	8

	Related
1.2	CVE-2012-6095
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)

1.2 - MDVSA-2013:053

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU